community-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rich Bowen <rbo...@rcbowen.com>
Subject Re: Use of MD5 and SHA1 for download verification
Date Fri, 27 Jan 2017 17:04:05 GMT
On 01/26/2017 01:20 PM, Mike Lissner wrote:
> I filed a bug about this already, but I've been directed to email here
> instead. The bug I filed is:
> https://issues.apache.org/jira/browse/INFRA-12626
> 
> Basically, on download pages we provide obsolete hashes for our downloads
> (MD5 and SHA1). These are meant, as I understand it, to serve two purposes.
> First, they allow you to make sure that your download succeeded. Second,
> they allow you to ensure that your download wasn't tampered with.
> 
> For the first purpose: Great. They work. For the second purpose, however,
> we need to move away from MD5 and SHA1 hashes, both of which can now be
> attacked with relatively modest hardware.
> 
> Browsers are moving away from SHA1 at a very fast pace. See:
> 
> https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html
> 
> And:
> 
> https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
> 
> I don't know who's responsible for this, but my bug was closed because it's
> not the infrastructure team, and so I'm trying here.
> 
> I suggest we move to SHA2 hashes for all verification purposes.

So ... what other folks said, for sure, but, two points.

1) each project community does this kind of thing largely independently

2) I encourage you to get involved with the communities themselves, and
make this happen. If you feel strongly about it, go make better hashes
for the project(s) you care about. Show us how it's done. Lead by
example, and the projects will pick up your example and do it. I presume
that mechanically it's a very simple step to add to our release
processes, right?

-- 
Rich Bowen - rbowen@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon


Mime
View raw message